MDhex Background

Affecting a range of CARESCAPE patient monitoring devices manufactured by GE Healthcare, the bundle of vulnerabilities collectively disclosed in CISA Advisory ICSMA-20-023-01 first came to the attention of CyberMDX security researchers through an investigation into the CIC Pro device.

The CIC Pro is a workstation used by the hospital staff to view all patient physiological data and waveforms, together with patient demographic data, in real-time from a single visual array. This data is transmitted from different patient-side monitors and collected via a shared network. The CIC Pro may also be used to centrally manage distributed monitors — for tasks such as patient admission, time & date synchronization, and setting alarm limits.

These six vulnerabilities, collectively referred to as "MDhex", were reported to GE on September 18, 2019, and after being verified, were responsibly disclosed on January 23, 2019. In the intervening months, CyberMDX, GE, and CISA worked together to fully understand the technical basis of the vulnerabilities so that subsequent mitigation efforts could be properly and effectively managed.

The CIC Pro is not the only GE/CARESCAPE product affected by these vulnerabilities. Other devices in which these vulnerabilities are found are:

Central Information Center (CIC), versions 4.x and 5.x

CARESCAPE Central Station (CSCS), versions 1.x and 2.x

B450 patient monitor, version 2.x

B850 patient monitor, versions 1.x and 2.x

Apex Pro Telemetry Server/Tower, versions 4.2 and earlier

CARESCAPE Telemetry Server, versions 4.3, 4.2 and prior

B650 patient monitor, versions 1.x and 2.x

Relevant Product Components

Some of the vulnerable devices store their data on standard hard drives and/or memory cards. In these devices, storage is unencrypted, which makes it easy to read and investigate.

Additionally, some of the affected devices may be operated by a hardened version of Windows XP Embedded, with a restricted user account.

Vulnerability details

SSH private key exposed

An SSH server installation allows for the remote management of a device via SSH client.

While SSH is designed for Linux-based devices, the affected Windows-based devices carry an installation of Cygwin that allows Linux programs to run on Windows.

Usually, an SSH server configuration will contain a file that holds the public keys of entities authorized to connect. In the case of the affected devices, the configuration also contains a private key. (Best practices would demand that such keys be kept by the vendor and never make their way onto devices in circulation.) The same private key is universally shared across an entire line of devices in the CARESCAPE and GE Healthcare family of products. Using the private key, an attacker could remotely access and execute code on these devices — potentially compromising the device's very availability as well as the confidentiality and integrity of any data it holds.
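As an added example (not part of the CyberMDX advisory and not GE Healthcare tooling), the following Python script shows the kind of check a hospital security team or a vendor could run over a read-only copy of a device's unencrypted storage: it walks the directory tree, distinguishes files carrying PEM private-key armour from public keys such as an authorized_keys file, and hashes each private key found so that the same key appearing on more than one device image is flagged. The directory layout, file names and key bodies below are constructed placeholders, not material from the affected devices.

```python
"""
Added example: find private-key material on device storage images and
flag keys shared across more than one device. Sample images are
constructed in a temporary directory; nothing here is vendor data.
"""
import hashlib
import os
import re
import tempfile

# PEM armour used by OpenSSH, OpenSSL and most exported key formats.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# One authorized_keys / *.pub style public-key line.
PUBLIC_KEY_RE = re.compile(
    rb"^(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-\S+) [A-Za-z0-9+/=]+", re.M
)


def classify_blob(data):
    """Return 'private', 'public' or None for the start of a file."""
    if PRIVATE_KEY_RE.search(data):
        return "private"
    if PUBLIC_KEY_RE.search(data):
        return "public"
    return None


def scan_device_image(device_name, root):
    """Walk one mounted image and report every key-bearing file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(65536)  # key files are small; don't slurp large files
            except OSError:
                continue
            kind = classify_blob(data)
            if kind:
                findings.append({
                    "device": device_name,
                    "path": os.path.relpath(path, root),
                    "kind": kind,
                    "sha256": hashlib.sha256(data).hexdigest(),
                })
    return findings


def shared_private_keys(findings):
    """Map key hash -> devices carrying it, keeping only keys seen on >1 device."""
    by_hash = {}
    for f in findings:
        if f["kind"] == "private":
            by_hash.setdefault(f["sha256"], set()).add(f["device"])
    return {h: sorted(devs) for h, devs in by_hash.items() if len(devs) > 1}


def build_sample_images():
    """Constructed demo: two device images that ship the same (fake) private key."""
    base = tempfile.mkdtemp(prefix="mdhex_demo_")
    fake_priv = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                 b"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB\n"  # placeholder, not a real key
                 b"-----END OPENSSH PRIVATE KEY-----\n")
    pub = b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQ== vendor-service@example\n"  # placeholder
    for dev in ("cic-01", "cic-02"):
        # Assumed Cygwin-style layout; the real path on the devices is not on the page.
        ssh_dir = os.path.join(base, dev, "cygwin", "home", "user", ".ssh")
        os.makedirs(ssh_dir)
        with open(os.path.join(ssh_dir, "authorized_keys"), "wb") as fh:
            fh.write(pub)
        with open(os.path.join(ssh_dir, "id_rsa"), "wb") as fh:
            fh.write(fake_priv)
        with open(os.path.join(base, dev, "readme.txt"), "wb") as fh:
            fh.write(b"no key material here\n")
    return base


def demo():
    """Scan the constructed images; returns (all findings, shared private keys)."""
    base = build_sample_images()
    findings = []
    for dev in sorted(os.listdir(base)):
        findings.extend(scan_device_image(dev, os.path.join(base, dev)))
    return findings, shared_private_keys(findings)


if __name__ == "__main__":
    findings, shared = demo()
    for f in findings:
        print(f"{f['device']}: {f['kind']:7} {f['path']}")
    for h, devs in shared.items():
        print(f"private key {h[:16]}... shared by {', '.join(devs)}")
```

A public key in authorized_keys is expected and harmless; a private key on the device, and especially the same private key across a fleet, is the condition the advisory describes, so the report separates the two rather than alerting on any key file.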

Affected Devices

CIC (versions 4.x, 5.x)

CSCS (version 1.x)

Apex Telemetry Server (versions 4.2 and earlier)

Mitigations and Recommendations

GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly. Additionally, you should utilize a firewall to close open port 22 on affected devices wherever it would not interfere with normal operations, intended use, or important functionality.

Vulnerability details

SMB with hard-coded credentials allows remote file access

Using hard-coded credentials that are universally shared across an entire line of devices in the CARESCAPE and GE Healthcare family of products, an attacker could establish a remote SMB connection and receive read/write access to all files on the system.

The credentials underlying this vulnerability can be obtained by performing a password recovery on the Windows XP Embedded operating system of affected devices. Once these credentials have been obtained, other devices can be easily breached. This represents a considerable expansion of the network attack surface.

Affected Devices

CIC (versions 4.x, 5.x)

CSCS (version 1.x)

Apex Telemetry Server (versions 4.2 and earlier)

Carescape Telemetry Server (versions 4.3 and earlier)

Mitigations and Recommendations

GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly. Additionally, you should utilize a firewall to close open ports 445 and 137 on affected devices wherever it would not interfere with normal operations, intended use, or important functionality.

Vulnerability details

MultiMouse / Kavoom KM allows remote control

MultiMouse / Kavoom KM software can be run to allow remote keyboard/mouse and clipboard control of a machine. The intention is to allow a user to centrally manage and control multiple workstations from a single keyboard/mouse for reasons of efficiency/convenience. In the case of this vulnerability, such functionality can be readily abused: connections can be established and devices commandeered without any credential controls. Practically speaking, this could give hackers a route to alter device settings and overwrite data.

Affected Devices

CIC (versions 4.x, 5.x)

CSCS (version 1.x)

Apex Telemetry Server (versions 4.2 and earlier)

Carescape Telemetry Server (versions 4.3 and earlier)

Mitigations and Recommendations

GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly. Additionally, you should utilize a firewall to close open port 5225 on affected devices wherever it would not interfere with normal operations, intended use, or important functionality.

Vulnerability details

VNC allows remote control

VNC is software used for remote desktop access. Credentials for this access are stored in an insecure manner and can be easily obtained. What's more, these credentials can also be found in publicly available and easily searchable product documentation. It must again be noted that these hard-coded credentials are universally shared across an entire line of devices in the CARESCAPE and GE Healthcare product families, vastly expanding network attack surfaces. Using these credentials, an attacker can remotely connect to and assume control of the device.

Affected Devices

CIC (versions 4.x, 5.x)

CSCS (version 1.x)

Apex Telemetry Server (versions 4.2 and earlier)

Carescape Telemetry Server (versions 4.3 and earlier)

Mitigations and Recommendations

GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly. Additionally, you should utilize a firewall to close open ports 5800 and 5900 on affected devices wherever it would not interfere with normal operations, intended use, or important functionality.

Vulnerability details

Webmin is deprecated and vulnerable

Webmin is a web-based system configuration tool. The Webmin version used in affected devices is deprecated (1.250), opening them up to a number of vulnerabilities with known exploits in the wild.

For example, CVE-2006-3392 details the possibility for arbitrary file read on such devices.

Affected Devices

CIC (versions 4.x, 5.x)

CSCS (version 1.x)

Apex Telemetry Server (versions 4.2 and earlier)

Carescape Telemetry Server (versions 4.3 and earlier)

B450 version 2.x

B650 / B850 versions 1.x, 2.x

Mitigations and Recommendations

GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly. Additionally, you should utilize a firewall to close open port 10000 on affected devices wherever it would not interfere with normal operations, intended use, or important functionality.

Vulnerability details

Software update manager allows remote file upload

GE devices come pre-loaded with a software update manager to facilitate the remote deployment of updates.

Some of the affected devices accept any incoming update, while others require authorization based on the same SSH key exposed in CVE-2020-6961, used together with the software update manager. Either way, the result is a state of significant compromise, wherein fraudulent updates can be executed to exhaust drive resources or install malicious software.

Affected Devices

CIC (versions 4.x, 5.x)

CSCS (version 1.x)

Apex Telemetry Server (versions 4.2 and earlier)

Carescape Telemetry Server (versions 4.3 and earlier)

B450 version 2.x

B650 / B850 versions 1.x, 2.x

Mitigations and Recommendations

GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly. Additionally, you should utilize a firewall to close open port 10001 on affected devices wherever it would not interfere with normal operations, intended use, or important functionality.
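The six mitigation sections above all come down to the same control: keep the listed ports on the affected devices reachable only from hosts that legitimately manage them. As an added example (not part of the CyberMDX advisory and not tooling from GE Healthcare or CISA), the Python below keeps that port list in one place, replays connection records against a monitor inventory to surface sessions from unexpected hosts to those ports, and renders the nftables ruleset a segmentation gateway between the monitoring VLAN and the rest of the hospital network could apply. The addresses, the log format and the gateway placement are assumptions for the demo; the port numbers and service names are the advisory's.

```python
"""
Added example: MDhex port exposure detection and firewall rule generation.
Inventory, log lines and firewall placement are constructed assumptions.
"""
import re

# Ports named in the advisory's mitigation sections, mapped to the service
# each vulnerability lives in.
MDHEX_PORTS = {
    22: "SSH (shared private key)",
    137: "SMB/NetBIOS (hard-coded credentials)",
    445: "SMB (hard-coded credentials)",
    5225: "MultiMouse / Kavoom KM",
    5800: "VNC (browser client)",
    5900: "VNC",
    10000: "Webmin 1.250",
    10001: "Software update manager",
}

# Constructed inventory: monitor/central-station addresses and the only
# hosts permitted to reach their management ports.
MONITORS = {"10.10.7.15", "10.10.7.16"}
MGMT_HOSTS = {"10.10.5.10"}

# Constructed connection records in key=value form, as a segmentation
# firewall or flow exporter might emit them.
SAMPLE_LOG = """\
2020-01-23T10:00:01Z action=allow proto=tcp src=10.10.5.10 dst=10.10.7.15 dport=22
2020-01-23T10:02:14Z action=allow proto=tcp src=10.10.5.20 dst=10.10.7.15 dport=5900
2020-01-23T10:02:40Z action=allow proto=tcp src=10.10.5.20 dst=10.10.7.16 dport=445
2020-01-23T10:03:05Z action=allow proto=tcp src=10.10.5.20 dst=10.10.9.1 dport=10000
2020-01-23T10:03:30Z action=allow proto=tcp src=10.10.5.21 dst=10.10.7.16 dport=443
this line is malformed and must be skipped
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) .*?src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def detect_exposures(log_text, monitors, mgmt_hosts):
    """One finding per connection from a non-management host to an MDhex
    port on an inventoried monitor; malformed records are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        dport = int(m["dport"])
        if m["dst"] in monitors and dport in MDHEX_PORTS and m["src"] not in mgmt_hosts:
            findings.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                             "dport": dport, "service": MDHEX_PORTS[dport]})
    return findings


def nft_ruleset(monitors, mgmt_hosts, table="mdhex"):
    """Render an nftables forward-chain ruleset for a gateway in front of the
    monitoring segment (assumed placement). Management hosts keep access;
    every other source loses the MDhex ports on the monitors."""
    ports = ", ".join(str(p) for p in sorted(MDHEX_PORTS))
    return "\n".join([
        f"table inet {table} {{",
        f"  set monitors {{ type ipv4_addr; elements = {{ {', '.join(sorted(monitors))} }} }}",
        f"  set mgmt_hosts {{ type ipv4_addr; elements = {{ {', '.join(sorted(mgmt_hosts))} }} }}",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    # Explicit allow for management hosts, then drop the MDhex ports for all others.",
        "    ip daddr @monitors ip saddr @mgmt_hosts accept",
        f"    ip daddr @monitors meta l4proto {{ tcp, udp }} th dport {{ {ports} }} drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for f in detect_exposures(SAMPLE_LOG, MONITORS, MGMT_HOSTS):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} ({f['service']})")
    print(nft_ruleset(MONITORS, MGMT_HOSTS))
```

The detector is deliberately narrow: a session to one of these ports is only a finding when the destination is an inventoried monitor and the source is outside the management set, which keeps the vendor's own maintenance traffic out of the alert queue. The ruleset drops both TCP and UDP on the listed ports so that NetBIOS name service on 137 is covered alongside the TCP services; load it with `nft -f` on the gateway only after confirming, per the advisory's caveat, that nothing in normal operation depends on those paths.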

Credit

About CyberMDX’s Cybersecurity Research & Analysis Team

CyberMDX’s research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The comprehensive threat intelligence analyst team tirelessly works to help protect hospitals and healthcare organizations from malicious attacks on connected medical devices. The team’s researchers, white-hat hackers and engineers collect information about potential and existing threats to understand attacker motivations, intentions, and methodology and deliver the best protection against attacks and malware.